Hackers don't rest, not even with COVID-19

It's nothing new: crises create new business opportunities. Ransomware is not a new business either, but cybercriminals are taking advantage of the COVID-19 crisis to try to reach more victims.

In the wake of the crisis, some criminal groups promised not to attack the healthcare sector (details can be found at this link). Far from keeping that promise, multiple cases of attempted extortion, ransomware campaigns and phishing attacks against healthcare organizations have been identified. Campaigns that use COVID-19-related themes to increase the probability of a successful attack have also been detected.

Criminals are driven mainly by financial motives and, unfortunately, attackers know that healthcare organizations are in a much more vulnerable position than usual, which increases the likelihood that they will give in to extortion.

If you want more information on how to keep your company from becoming the next victim of cybercriminals, download our Quick Guide, where you will find advice and solutions for staying protected:

DOWNLOAD QUICK GUIDE

Finally, for information purposes, here are some examples of COVID-19-themed attacks that are currently taking place:

Cybercriminals use emails containing information about COVID-19 to carry out scams.

Proofpoint and Open3s strongly encourage customers to verify the following on their systems.

Several organizations have been impacted today by the ransomware known as Petya or Petrwrap. At this time the distribution vector is still unconfirmed, but it appears to be spreading over the network in a manner similar to WannaCry, although the capacity for an email vector exists. Like WannaCry, this Petya outbreak appears to potentially be leveraging SMB network protocols to spread itself.

    (A)  Ensure that the .exestrip rule is enabled in PPS; this will stop any .zip/.js attachments or inbound raw executables in email.

    (B)  Enabling blocking of password-protected compressed files is also suggested, at least during this outbreak period.

    (C)  Proofpoint TAP customers have an additional layer of protection against other potential email vectors, as URL-based or Office-document-based encapsulation will be subject to behavioral analysis by TAP.

    (D)  Ensure systems are patched against the vulnerability described in bulletin MS17-010 (which allows remote command execution through Samba / SMB). It is unconfirmed whether this stops the new Petya outbreak, but patching will mitigate the risk of infection from residual WannaCry activity.

    (E)  Deploy Proofpoint ET signatures for IDS; we have verified that these identify and block network command & control / phone-home and worm activity by this ransomware.
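As an added example (not Proofpoint's or Open3s's code), the following Python script shows what the attachment checks in (A) and (B) amount to at a mail gateway: it walks the attachments of a raw message, blocks executable and script extensions, opens .zip attachments to look for nested executables, and treats any zip entry with the "encrypted" header bit set as password-protected. The extension list, the sample message, and the helper that fakes the encrypted flag (Python's zipfile cannot write encrypted archives) are assumptions constructed for the demo, not Proofpoint's actual rule definition.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions an .exestrip-style rule (A) is meant to stop. Hypothetical list for this
# example; it is not Proofpoint's actual rule definition.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".bat", ".cmd"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased extension of a filename, including the dot ('' if none)."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def inspect_zip(data):
    """Return (password_protected, [risky member names]) for a zip payload.
    Bit 0 of an entry's general-purpose flag marks it as encrypted, which is what
    'password-protected compressed file' (B) means at the container level."""
    protected, risky = False, []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    protected = True
                if _ext(info.filename) in BLOCKED_EXTENSIONS:
                    risky.append(info.filename)
    except zipfile.BadZipFile:
        return False, ["<corrupt archive>"]
    return protected, risky


def triage_message(raw):
    """Return [(attachment name, verdict)] for every attachment of a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "block: executable or script attachment"))
        elif ext in ARCHIVE_EXTENSIONS:
            protected, risky = inspect_zip(data)
            if protected:
                findings.append((name, "block: password-protected archive"))
            elif risky:
                findings.append((name, "block: archive contains " + ", ".join(risky)))
            else:
                findings.append((name, "allow"))
        else:
            findings.append((name, "allow"))
    return findings


# --- constructed sample data below; none of it comes from a real campaign ---

def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' bit on every central-directory entry (demo-only fake:
    the general-purpose flag sits at offset 8 of each PK\\x01\\x02 record)."""
    buf = bytearray(zip_bytes)
    pos = buf.find(b"PK\x01\x02")
    while pos != -1:
        buf[pos + 8] |= 0x01
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)


def build_sample_message():
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    attachments = [
        ("invoice.pdf", b"%PDF-1.4 placeholder"),
        ("invoice.js", b"// placeholder script"),
        ("docs.zip", build_zip([("readme.txt", b"plain text")])),
        ("payload.zip", build_zip([("setup.exe", b"MZ placeholder")])),
        ("secret.zip", mark_encrypted(build_zip([("notes.txt", b"plain text")]))),
    ]
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def triage_sample():
    return triage_message(build_sample_message())


if __name__ == "__main__":
    for name, verdict in triage_sample():
        print(f"{name:12s} {verdict}")
```

The nested-executable check is the reason (A) and (B) go together: a bare .exe is trivial to strip, an archive has to be opened, and an encrypted archive cannot be opened at all, so the gateway's only safe option during an outbreak is to hold it.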

As always, please report any confirmed “false negatives” (e.g., threats that appear to have used a Proofpoint-protected vector to gain entry) immediately — but note that at this time, we have no reports of such events at Proofpoint customers.

UPDATE:

(A)  What is the Payload?

While there has been some debate in the research community over whether the payload is “Petya” or “Petya-like”, there seems to be common agreement that the payload is ransomware that most likely encrypts the Master Boot Record (like Petya).

(B)  What is the distribution mechanism?

The ransomware package appears to attempt both the EternalBlue SMB exploit and the Windows utilities PsExec (“a Telnet alternative”) and Windows Management Instrumentation Command-line (WMIC) (“a command-line and scripting interface”) for distribution and initiation.

While there are no confirmed reports of transmission via email, there are currently large email campaigns distributing “KaroCrypt”; Proofpoint is actively blocking these as well. As with the confusion between WannaCry and Jaff, we anticipate some confusion between KaroCrypt and this Petya-like malware.

(C)  Where did it start?

There is widely reported but unconfirmed attribution (including on the me-doc website) suggesting that the Ukrainian accounting software system “MeDoc” was compromised to distribute the malware via its standard update mechanism last night. Once introduced into an intranet, the mechanisms in (B) would rapidly spread the malware to other connected systems that were either unpatched for EternalBlue or left open to PsExec and WMIC.

(D)  How do I detect and block this?

The guidance issued in the original bulletin still holds; specifically, for network detection, ensure you have updated IDS signatures:

2012063: ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

2024297: ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010
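As an added illustration of the detection guidance in (B) and (D), not part of Proofpoint's bulletin or its products, the following Python script matches Suricata/Snort fast-log alerts against the two signature IDs above and flags PsExec use or WMIC remote process creation in host process-creation records, then groups everything by internal host. The alert and process lines are constructed samples; the pipe-delimited process record format, the SID revision numbers and the `payload_placeholder.exe` path are assumptions for the demo.

```python
import re

# The two ET signature IDs named in the bulletin for network detection.
NOTPETYA_SIDS = {
    2012063: "ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",
    2024297: "ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010",
}

# Suricata/Snort "fast" alert layout: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Host-side indicators for the two distribution utilities named in (B).
PSEXEC_IMAGE_RE = re.compile(r"\\psexe(c|c64|svc)\.exe$", re.IGNORECASE)
WMIC_REMOTE_RE = re.compile(r"/node:", re.IGNORECASE)


def parse_ids_alert(line):
    """Return a finding if the alert carries one of the two NotPetya-related SIDs, else None."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    sid = int(m["sid"])
    if sid not in NOTPETYA_SIDS:
        return None
    return {"kind": "ids", "sid": sid, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "msg": m["msg"]}


def parse_process_event(line):
    """Flag PsExec or WMIC remote process creation in a process-creation record.
    Record format is constructed for this example: ts|host|user|image|commandline."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    lowered = cmdline.lower()
    if PSEXEC_IMAGE_RE.search(image) or "psexesvc" in lowered:
        return {"kind": "host", "host": host, "user": user, "indicator": "psexec", "cmdline": cmdline}
    if (image.lower().endswith("\\wmic.exe") and WMIC_REMOTE_RE.search(cmdline)
            and "process call create" in lowered):
        return {"kind": "host", "host": host, "user": user, "indicator": "wmic-remote-exec", "cmdline": cmdline}
    return None


def triage(ids_lines, proc_lines):
    findings = [f for f in map(parse_ids_alert, ids_lines) if f]
    findings += [f for f in map(parse_process_event, proc_lines) if f]
    return findings


def hosts_of_concern(findings):
    """Map each host/IP to the indicators seen for it: SMB exploit source or target,
    or a machine running the lateral-movement utilities."""
    out = {}
    for f in findings:
        if f["kind"] == "ids":
            out.setdefault(f["src"], set()).add(f"sid:{f['sid']}:source")
            out.setdefault(f["dst"], set()).add(f"sid:{f['sid']}:target")
        else:
            out.setdefault(f["host"], set()).add(f["indicator"])
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample lines (not real captures).
SAMPLE_IDS = [
    "06/27/2017-10:15:22.118833  [**] [1:2024297:3] ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010 [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:49152 -> 10.0.0.9:445",
    "06/27/2017-10:15:22.201004  [**] [1:2012063:6] ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID "
    "Function Table Dereference [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 10.0.0.5:49153 -> 10.0.0.12:445",
    "06/27/2017-10:15:30.000100  [**] [1:9000001:1] LOCAL placeholder rule [**] [Classification: Not Suspicious "
    "Traffic] [Priority: 3] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353",
]
SAMPLE_PROC = [
    r"2017-06-27T10:16:01|WS-005|CORP\svc_backup|C:\Windows\System32\wbem\WMIC.exe|"
    r'wmic /node:"10.0.0.9" /user:"CORP\svc_backup" process call create "C:\Windows\payload_placeholder.exe"',
    r"2017-06-27T10:16:04|WS-005|CORP\svc_backup|C:\Temp\PsExec.exe|"
    r"PsExec.exe \\10.0.0.12 -accepteula C:\Windows\payload_placeholder.exe",
    r"2017-06-27T10:16:10|WS-007|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption",
    r"2017-06-27T10:16:12|WS-007|CORP\alice|C:\Windows\System32\notepad.exe|notepad.exe",
]


def run_sample():
    return triage(SAMPLE_IDS, SAMPLE_PROC)


if __name__ == "__main__":
    for host, indicators in hosts_of_concern(run_sample()).items():
        print(host, indicators)
```

A host that shows up both as the source of an MS17-010 alert and as the machine running PsExec or WMIC against other addresses (WS-005 and 10.0.0.5 in the sample) is the one to isolate first; the IDS signatures alone catch only the EternalBlue path, so the host-side check matters on networks that are already patched.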


Please note that this is still an active investigation; details are still being verified and are subject to change.